
Cyber Security Team

Database Security

A threat from within

Strictly Private and Confidential

June 2015
Database Security A threat from within June 2015
PwC
Table of Contents

1 Introduction: Threats to DB Security
2 Architecture & Vocabulary
3 Access Control & Application Security
4 Data Anonymization
5 Authentication
6 Governance, Risk and Compliance
7 Database Vulnerability Assessment
8 Database Audit & Protection
9 Database Security in the Cloud
10 Questions and Answers


Section 1
Introduction: Threats to DB Security

Databases: an attractive target

96% of records breached are from databases.

What gets stolen: credentials, email addresses, credit card information, social security numbers, medical records, etc.

Database records stolen in early 2014:
January: Snapchat (4.5M)
February: Kickstarter (5.6M)
March: Korean Telecom (12M)
May: eBay (145M)

Source: Verizon - Data breach investigations report 2015

Top 10 Database Threats

1. Excessive privileges: unauthorized access & abuse
2. SQL injections: 19% of web app attacks
3. Malware: compromised hosts
4. Weak audit trail: unable to detect
5. Backup exposure: often unprotected media
6. Weak authentication: brute force, stolen credentials
7. DB vulnerabilities & misconfiguration
8. Unmanaged sensitive data
9. Denial of Service
10. Limited security expertise & education

Top 10 Database Threats: but who's to blame?

Who are the stakeholders (threats) of Database Security?

CISO, Auditors, IT Security, Business, DBAs, End Users, Developers, Testers, Storage/Backup Admins, Network Admins, System Admins... You?
Oracle Security History

Oracle 7 (1992): native network encryption; database native auditing.
Oracle 8i: strong authentication (PKI, Kerberos, RADIUS); global roles; Virtual Private Database.
Oracle 9i: Oracle Label Security; Fine Grained Auditing.
Oracle 10g: Secure Backup; Transparent Data Encryption; Oracle Audit Vault; Database Vault.
Oracle 11g: activity monitoring; Database Firewall; sensitive data discovery.
Oracle 12c (2015): separation of duty; new audit framework; privilege analysis; Advanced Security options are embedded.
Native Security provided by Oracle and the others

Oracle: Virtual Private Database; Materialized Views; Audit; RBAC (Roles); Transparent Encryption; Anonymization; Synonyms.
IBM DB2: Label Based Access Control; Materialized Query Tables; Audit; RBAC (Roles); Transparent Encryption; Data Masking (optional); Synonyms.
MySQL: Dynamic Views only; Audit via Module; No Roles; Manual Encryption; No Anonymization; No Synonyms.
PostgreSQL: Materialised Views; Audit via Module; RBAC (Roles); Manual Encryption; No Anonymization; Synonyms.
SQL Server: Materialised Views; Audit; RBAC (Roles); Transparent Encryption; No Anonymization; Synonyms.
Sybase: Materialised Views; Audit; RBAC (Roles); Transparent Encryption; No Anonymization; No Synonyms.
Section 2
Architecture & Vocabulary

Oracle Architecture

Instance (SID): memory (SGA) and background processes.
Database: datafiles, online redo logs, controlfiles, backup files, parameter files.
Logical vs Physical

Logical structures: Database, Schema, Segment, Extent, Database Block.
Physical structures: Tablespace, Datafile, O.S. Block.
A schema's segments live in tablespaces, which are made of datafiles; a database block is made of one or more O.S. blocks.
Logical Structures

Tables, Constraints, Indexes, Views, Synonyms, Profiles, Sequences, Procedures & Functions, Triggers, Packages.
Dictionary & Catalog

Tablespace SYSTEM holds the data dictionary, owned by SYS: the tables that describe the database itself (metadata), and the catalog, i.e. the views built on those dictionary tables (DBA_*, ALL_*, USER_*); the SYSTEM schema's objects live there as well.
Tablespace USERS holds the application objects: tables, indexes, constraints, views.
Structured Query Language - SQL

SQL is a special-purpose programming language designed for managing data held in a relational database (RDBMS).

Data Definition Language: defines the structure of tables and other objects (CREATE, ALTER, DROP or TRUNCATE).
Data Manipulation Language: uses and manipulates the data (SELECT, INSERT, UPDATE or DELETE).
Data Control Language: defines permissions for users/schemas (GRANT or REVOKE).
Section 3
Access Control & Application Security

Strategy to Secure Data

A cycle of three steps: classify data and users, anticipate threats, map controls.
Role Based Access Control (RBAC)

Privileges are grouped into roles, and roles are granted per database (DB1, DB2, DB3).

Data classification: Public, Internal, Confidential, Top Secret.
Roles & responsibilities: Business Users, Developers, Managers, Security Admins.
Data Classification against the Triad

Confidentiality: classification according to the data's contents (Secret / Confidential / Internal / Public).
Integrity: impact when the data is modified (High / Medium / Low).
Availability: what availability is required? 90%? 99.5%?
Misconfiguration Risk with Privileges

The application owner (App. Owner) owns the application tables. A user such as Thomas is granted a system privilege that spans every schema (an ANY privilege, e.g. SELECT ANY TABLE) WITH ADMIN OPTION, or an object privilege WITH GRANT OPTION. He can then pass the privilege on to Ana and Mike without the application owner or the DBA being involved, so the set of people who can read the application tables is no longer visible from the owner's grants alone.

Beware of ANY privileges and of grants made WITH ADMIN OPTION or WITH GRANT OPTION.
Misconfiguration Risk with Roles

A business user is granted an application role that is supposed to carry only the DML the application needs (SELECT, INSERT, UPDATE, DELETE on the application tables). If the DBA role, or any role that contains it, is later added to that application role, every business user silently becomes a DBA.

Application Role = DBA access!
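Worked example for the two slides above, added here and not part of the original deck: how the privilege and role misconfigurations are created, then the dictionary queries a reviewer runs to find them. It assumes an Oracle 11g/12c database; APP_OWNER, THOMAS, ANA, MIKE, BIZ_USER and APP_ROLE are hypothetical names.

```sql
-- 1. Privilege misconfiguration: a system privilege spanning every schema,
--    delegated WITH ADMIN OPTION so the grantee can re-grant it.
GRANT SELECT ANY TABLE TO thomas WITH ADMIN OPTION;
-- connected as THOMAS: the privilege is handed on, nothing in APP_OWNER's
-- own grants shows it
GRANT SELECT ANY TABLE TO ana;
-- an object privilege delegated WITH GRANT OPTION has the same effect
GRANT SELECT ON app_owner.customers TO mike WITH GRANT OPTION;

-- 2. Role misconfiguration: an application role meant to carry DML only,
--    to which DBA is later added as a "quick fix".
CREATE ROLE app_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.customers TO app_role;
GRANT dba TO app_role;          -- every holder of APP_ROLE is now a DBA
GRANT app_role TO biz_user;

-- Detection: system privileges that span schemas, and who can re-grant them
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
    OR admin_option = 'YES'
 ORDER BY grantee, privilege;

-- Detection: object privileges that were delegated (GRANTABLE = 'YES'),
-- with the grantor, which tells you who built the chain
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantable = 'YES'
   AND owner NOT IN ('SYS', 'SYSTEM');

-- Detection: every user that reaches DBA through a chain of nested roles,
-- however deep, with the path that gets them there
SELECT DISTINCT CONNECT_BY_ROOT grantee                 AS username,
       SYS_CONNECT_BY_PATH(granted_role, ' -> ')        AS role_path
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 START WITH grantee IN (SELECT username FROM dba_users)
 CONNECT BY NOCYCLE PRIOR granted_role = grantee;
```

The hierarchical query is the one worth keeping: a direct `GRANT DBA TO user` is easy to spot, the role-in-role case on the second slide is not.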
Misconfiguration Risk with Profiles

A profile limits, per account: password lifetime, password complexity (verify function), failed login attempts, CPU per session, connect time.

Beware of accounts left on the DEFAULT profile and of limits set to UNLIMITED.
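Added example, not from the original deck: finding the limits that are still DEFAULT or UNLIMITED, the open accounts still on the DEFAULT profile, and a hardened profile to move them to. APP_PROFILE and BIZ_USER are hypothetical; the limit values are illustrative assumptions, not a recommended policy. ORA12C_STRONG_VERIFY_FUNCTION is Oracle's own 12c verify function and exists only after $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has been run.

```sql
-- Which password and resource limits are still UNLIMITED, inherited
-- (DEFAULT) or absent (NULL verify function) on every profile?
SELECT profile, resource_name, resource_type, limit
  FROM dba_profiles
 WHERE limit IN ('UNLIMITED', 'DEFAULT', 'NULL')
   AND resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_VERIFY_FUNCTION',
                         'FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                         'CPU_PER_SESSION', 'CONNECT_TIME', 'IDLE_TIME',
                         'SESSIONS_PER_USER')
 ORDER BY profile, resource_name;

-- Which open accounts never got a profile of their own?
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN'
 ORDER BY username;

-- A hardened profile for interactive and application accounts
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1/24          -- days: locked for one hour
  PASSWORD_LIFE_TIME        90            -- days
  PASSWORD_GRACE_TIME       7             -- days
  PASSWORD_REUSE_TIME       365           -- days before a password may come back
  PASSWORD_REUSE_MAX        10            -- ...and only after 10 other passwords
  PASSWORD_VERIFY_FUNCTION  ora12c_strong_verify_function
  SESSIONS_PER_USER         5
  CPU_PER_SESSION           600000        -- hundredths of a second
  CONNECT_TIME              480           -- minutes
  IDLE_TIME                 30;           -- minutes

ALTER USER biz_user PROFILE app_profile;

-- Resource limits (CPU_PER_SESSION, CONNECT_TIME, IDLE_TIME, ...) are only
-- enforced when this parameter is TRUE; password limits always apply.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;
```

The last statement is the caveat that catches most people: a profile with tight CPU and connect-time limits does nothing while `resource_limit` is FALSE, which is its default.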
Section 4
Data Anonymization

Data Anonymization

Production data is accessed by the business user and the senior DBA. A copy is anonymized for the testing environment, which is accessed by the external provider, the developer and the junior DBA.

Production:
NAME     SSN          SALARY  NOTES
Dupont   203-55-1478  40,000  Will be promoted
Schmitt  325-65-1469  60,000  Will be promoted

Testing copy (anonymized):
NAME     SSN          SALARY  NOTES
Dupont   123-45-6789  40,000  JaOXnRtx (encrypted), or "redacted" / "-" (masked)
Schmitt  170-96-1765  60,000  GBerilQ (encrypted), or "redacted" / "-" (masked)

Data encryption: repeatable, an input always gives the same result.
Data masking: delete or replace with a constant value.
Data scrambling: replace with a random value of the same format.
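Added example, not from the original deck: building the testing copy above with the three techniques. The EMPLOYEES and ANON_KEY tables and their rows are constructed for the example; DBMS_CRYPTO (needs an EXECUTE grant from SYS), DBMS_RANDOM, UTL_RAW, UTL_ENCODE and UTL_I18N are Oracle's own packages.

```sql
-- Constructed production data
CREATE TABLE employees (name VARCHAR2(40), ssn VARCHAR2(11), salary NUMBER, notes VARCHAR2(200));
INSERT INTO employees VALUES ('Dupont',  '203-55-1478', 40000, 'Will be promoted');
INSERT INTO employees VALUES ('Schmitt', '325-65-1469', 60000, 'Will be promoted');

-- The encryption key lives in production only and is never shipped to test
CREATE TABLE anon_key (key_bytes RAW(32));
INSERT INTO anon_key VALUES (DBMS_CRYPTO.RANDOMBYTES(32));

-- Data encryption, "repeatable": AES-256 in a deterministic mode (ECB, no
-- IV) returns the same ciphertext for the same input, so equal values still
-- match across anonymized tables. The price is that equal plaintexts show
-- up as equal ciphertexts; use it only where that leak is acceptable.
CREATE OR REPLACE FUNCTION anon_encrypt(p_text IN VARCHAR2) RETURN VARCHAR2 IS
  l_key RAW(32);
BEGIN
  SELECT key_bytes INTO l_key FROM anon_key;
  RETURN UTL_RAW.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(
           DBMS_CRYPTO.ENCRYPT(
             src => UTL_I18N.STRING_TO_RAW(p_text, 'AL32UTF8'),
             typ => DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_ECB + DBMS_CRYPTO.PAD_PKCS5,
             key => l_key)));
END;
/

-- The copy handed to developers, the external provider and the junior DBA
CREATE TABLE employees_test AS
SELECT e.name,                                                -- kept: not sensitive here
       -- Data scrambling: a random value of the same ###-##-#### format
       LPAD(TRUNC(DBMS_RANDOM.VALUE(100, 999)),   3, '0') || '-' ||
       LPAD(TRUNC(DBMS_RANDOM.VALUE(10, 99)),     2, '0') || '-' ||
       LPAD(TRUNC(DBMS_RANDOM.VALUE(1000, 9999)), 4, '0') AS ssn,
       e.salary,                                              -- kept: tests need realistic numbers
       anon_encrypt(e.notes)                 AS notes_encrypted, -- Data encryption
       'redacted'                            AS notes_masked     -- Data masking: constant value
  FROM employees e;

-- Checks before the copy leaves production: equal notes must give equal
-- ciphertexts (the repeatable property), and no production SSN may survive.
SELECT notes_encrypted, COUNT(*) FROM employees_test GROUP BY notes_encrypted;
SELECT COUNT(*) AS leaked_ssn
  FROM employees_test t JOIN employees e ON e.ssn = t.ssn;
```

Scrambling with DBMS_RANDOM is fine for a column nobody joins on; if SSN is used as a key between tables, scramble it with the repeatable function instead, otherwise the test data set falls apart.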
Data Masking in Production

Views to hide rows and/or columns.
Synonyms to let applications keep the original table name while a view is served instead (or to hide the use of a Database Link).
Virtual Private Database (VPD) to segregate data from different customers: a policy appends a predicate to every statement on the table.
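Added example, not from the original deck: the three production-side techniques on a hypothetical APP_OWNER.CUSTOMERS table (assumed columns CUST_ID, TENANT, NAME, SSN, BALANCE, STATUS). SUPPORT_ROLE, SUPPORT_USER, CRM_LINK and the APP_CTX application context are assumptions as well; DBMS_RLS and SYS_CONTEXT are Oracle's.

```sql
-- 1. View: hide the SSN column and the rows of closed accounts. Support
--    staff are granted the view, never the table.
CREATE OR REPLACE VIEW app_owner.customers_support AS
  SELECT cust_id, tenant, name, balance
    FROM app_owner.customers
   WHERE status = 'OPEN';
GRANT SELECT ON app_owner.customers_support TO support_role;

-- 2. Synonym: the support tooling keeps saying "customers" and lands on the
--    view. The same trick hides a database link behind a local name.
CREATE OR REPLACE SYNONYM support_user.customers FOR app_owner.customers_support;
-- CREATE OR REPLACE SYNONYM app_owner.orders FOR orders@crm_link;   -- DB-link case

-- 3. Virtual Private Database: Oracle appends the predicate returned by the
--    policy function to every statement on the table, whatever client runs
--    it, so a tenant only ever sees its own rows.
CREATE OR REPLACE FUNCTION app_owner.tenant_predicate
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- The tenant comes from a secure application context populated at logon
  -- by trusted code, not from anything the client can type.
  RETURN 'tenant = SYS_CONTEXT(''APP_CTX'', ''TENANT'')';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUSTOMERS_BY_TENANT',
    function_schema => 'APP_OWNER',
    policy_function => 'TENANT_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- rows being written must satisfy the predicate too
END;
/

-- Caveat: VPD is bypassed by SYS and by anyone holding EXEMPT ACCESS POLICY;
-- review that list as part of the privilege checks.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```

If the context is not set, the predicate compares TENANT with NULL and the query returns nothing: the policy fails closed, which is what you want from a segregation control.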
Section 5
Authentication

Authentication

OS level: root and the oracle OS user (OS authentication lets the oracle account connect AS SYSDBA without any database password).
DB level: high-privileged accounts (SYS, the DBA role), database users, LDAP users.

What is required: strong authentication, accountability, least privilege, non-repudiation, monitoring & blocking. What is at stake: data leakage.
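Added example, not from the original deck: an inventory of how accounts get in, the parameters that decide whether the OS rather than the database is trusted, and named administrative and service accounts for accountability and least privilege. DBA_ALICE, APP_SVC, APP_PROFILE and APP_ROLE are hypothetical names; the views and parameters are Oracle's (11g/12c).

```sql
-- Who authenticates without a database password? EXTERNAL = OS
-- authentication (OPS$ / IDENTIFIED EXTERNALLY), GLOBAL = LDAP / enterprise users
SELECT username, authentication_type, account_status, profile
  FROM dba_users
 WHERE authentication_type IN ('EXTERNAL', 'GLOBAL')
 ORDER BY username;

-- remote_os_authent = TRUE trusts the OS user name a *remote* client claims,
-- so anyone who names their laptop account "oracle" logs in as OPS$ORACLE.
-- It must be FALSE (deprecated since 11g). The other parameters govern the
-- SYSDBA password file and case-sensitive passwords.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix',
                'remote_login_passwordfile', 'sec_case_sensitive_logon');

-- High-privilege accounts: everyone in the password file can connect
-- AS SYSDBA / SYSOPER from outside the server
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- Accountability: named administrators instead of a shared SYS password, so
-- audit records carry a person. On 12c prefer the narrower administrative
-- privileges (SYSBACKUP, SYSDG, SYSKM) wherever they suffice.
CREATE USER dba_alice IDENTIFIED BY "Replace-With-A-Generated-Password-1" PROFILE app_profile;
GRANT CREATE SESSION TO dba_alice;
GRANT SYSDBA TO dba_alice;

-- Least privilege for the application: a service account that can only
-- connect and use the application's objects through its role, and owns nothing
CREATE USER app_svc IDENTIFIED BY "Replace-With-A-Generated-Password-2" PROFILE app_profile
  DEFAULT TABLESPACE users QUOTA 0 ON users;
GRANT CREATE SESSION TO app_svc;
GRANT app_role TO app_svc;      -- DML on application tables only
```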
Oracle Encryption

Transparent Data Encryption (TDE) encrypts the data at rest. The master key is kept in a wallet or in an HSM, and can be managed centrally with Oracle Key Vault; the same key material protects Oracle Secure Backup and Data Pump exports. Key administration should be separated from database administration (the DBA).
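Added example, not from the original deck: setting up TDE with a file wallet in Oracle 12c syntax, encrypting at tablespace and at column level, and verifying the result. Paths, SECURE_TS and APP_OWNER.CUSTOMERS are assumptions; on 11g the master key is created with ALTER SYSTEM SET ENCRYPTION KEY instead.

```sql
-- Keystore location is declared in sqlnet.ora (not SQL), e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))
-- or METHOD=HSM to keep the master key inside an HSM.

-- 1. Create and open the keystore (wallet), then the master encryption key
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "Replace-With-Wallet-Password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Replace-With-Wallet-Password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Replace-With-Wallet-Password" WITH BACKUP;

-- 2a. Tablespace encryption: everything stored inside is encrypted at rest
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2b. Column encryption on an existing table. SALT (the default) prevents
--     equal values from producing equal ciphertext; use NO SALT only when
--     the column must carry an index.
ALTER TABLE app_owner.customers MODIFY (ssn ENCRYPT USING 'AES256' SALT);

-- 3. Verify: wallet open, tablespace flagged, column listed
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
SELECT owner, table_name, column_name, encryption_alg, salt FROM dba_encrypted_columns;

-- 4. Exports: Data Pump writes clear text unless told otherwise
--    (expdp ... ENCRYPTION=ALL ENCRYPTION_PASSWORD=...). RMAN backups of an
--    encrypted tablespace stay encrypted, but the wallet must be backed up
--    separately and never on the same media as the datafiles.
```

The wallet password and the master key are what the "threat from within" is about: whoever can open the keystore can read every encrypted tablespace, so that credential belongs with the security administrator, not in the DBA's shell history.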
Section 6
Governance, Risk and Compliance

Governance, Risk and Compliance

Defence in depth, from the outside in: Physical, Perimeter & Cloud, Internal Network, Host, Application, Data.

Across all layers: Identity & Access Management; Security Governance, Risk & Compliance; Operational Security, Monitoring & Controls (Audit).

Foundation: plan, policies & procedures, baselines, awareness.
Section 7
Database Vulnerability Assessment

Database Vulnerability Assessment

What an assessment looks for: missing patches, weak passwords, accounts sharing, suspicious admin logins, unusual-hour activities, configuration changes, misconfigured privileges.
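Added example, not from the original deck: dictionary queries for the findings listed above (misconfigured privileges are covered by the queries in Section 3). The session-based queries assume audit_trail is set to DB (or DB,EXTENDED) and AUDIT SESSION is enabled; otherwise DBA_AUDIT_SESSION is empty. View and column names are 12c; on 11g use DBA_REGISTRY_HISTORY instead of DBA_REGISTRY_SQLPATCH.

```sql
-- Missing patches: what is actually applied, to compare with the current PSU/RU
SELECT patch_id, description, status, action_time
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- Weak passwords (1): open accounts still on a well-known default password
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- Weak passwords (2): accounts still carrying the legacy 10G hash
-- (case-insensitive, unsalted DES, cheap to crack offline)
SELECT username, password_versions
  FROM dba_users
 WHERE password_versions LIKE '%10G%';

-- Accounts sharing: one database account in use from several OS users/hosts
SELECT username, COUNT(*) AS distinct_origins,
       LISTAGG(origin, ', ') WITHIN GROUP (ORDER BY origin) AS origins
  FROM (SELECT DISTINCT username, osuser || '@' || machine AS origin
          FROM v$session
         WHERE type = 'USER' AND username IS NOT NULL)
 GROUP BY username
HAVING COUNT(*) > 1;

-- Unusual-hour activity and suspicious admin logins, last 7 days
SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE timestamp > SYSDATE - 7
   AND (TO_CHAR(timestamp, 'HH24') NOT BETWEEN '07' AND '20'   -- outside business hours
        OR returncode = 1017                                    -- ORA-01017: wrong password
        OR username IN ('SYS', 'SYSTEM'))
 ORDER BY timestamp DESC;

-- Configuration changes: who touched parameters, users and privileges
SELECT timestamp, username, os_username, action_name, obj_name, sql_text
  FROM dba_audit_trail
 WHERE action_name IN ('ALTER SYSTEM', 'ALTER DATABASE', 'CREATE USER', 'ALTER USER',
                       'DROP USER', 'GRANT ROLE', 'GRANT OBJECT', 'SYSTEM GRANT')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

The account-sharing query only sees sessions that are connected right now; run it from a job over the day, or use the audit session view with the same grouping, before concluding that an account is not shared.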
ODAT: penetration testing for Oracle Database

ODAT (Oracle Database Attacking Tool) chains the attack steps shown on the slide against a target instance:
1. SID scanning (finding the instance name, e.g. SID: ORCL)
2. Accounts & passwords guessing
3. Columns scanning (searching for columns whose name suggests passwords)
4. HTTP requests sent from the database server (e.g. to http://badguy.com/)
5. TCP port scanning from the database server
6. File upload, download & deletion
7. System commands & remote shell access

Source: https://github.com/quentinhardy/odat
Section 8
Database Audit & Protection

Audit Trail & Fine Grained Auditing

Audit events can be written to an audit table in the database, to an OS file, or to the system log.

Audit Trail (standard auditing): fast & simple, but non-selective.
Fine Grained Audit: very flexible (condition- and column-based), but complex.

Caveats: interoperability issues, performance issues, and an audit trail stored in the database can be accessed and altered by the very people it is supposed to watch.
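Added example, not from the original deck: standard auditing, a fine-grained audit policy, the check for who can tamper with the trail, and the settings that move it out of the DBA's reach. APP_OWNER.CUSTOMERS, its SSN column and the APP_SVC account are hypothetical; the packages, parameters and views are Oracle's (11g/12c).

```sql
-- Standard auditing (audit trail): fast and simple, not selective.
-- audit_trail is static: set it in the spfile and restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;   -- EXTENDED keeps SQL text and binds
AUDIT SESSION;                                                  -- every logon / logoff
AUDIT SELECT, INSERT, UPDATE, DELETE ON app_owner.customers BY ACCESS;
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE, ALTER SYSTEM BY ACCESS;

-- Fine-grained auditing: a record only when the condition holds and the
-- sensitive column is referenced; here, any read of SSN by anyone other
-- than the application service account.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'CUSTOMERS',
    policy_name     => 'SSN_READ_BY_HUMANS',
    audit_condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') <> ''APP_SVC''',
    audit_column    => 'SSN',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
END;
/
SELECT timestamp, db_user, os_user, userhost, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'SSN_READ_BY_HUMANS'
 ORDER BY timestamp DESC;

-- "The audit trail can be accessed and altered": by whom, right now?
SELECT grantee, privilege FROM dba_sys_privs
 WHERE privilege IN ('DELETE ANY TABLE', 'UPDATE ANY TABLE', 'AUDIT SYSTEM')
UNION ALL
SELECT grantee, privilege FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name IN ('AUD$', 'FGA_LOG$')
UNION ALL
SELECT grantee, 'role ' || granted_role FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'AUDIT_ADMIN');

-- Alternative to 'DB,EXTENDED' above: write the standard trail to the OS and
-- syslog, which the DBA cannot edit and which syslog forwards to the SIEM.
-- SYSDBA activity is only captured with audit_sys_operations, and it only
-- ever goes to the OS / syslog.
ALTER SYSTEM SET audit_trail          = 'OS'             SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level   = 'LOCAL1.WARNING' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE             SCOPE = SPFILE;

-- FGA records always stay in FGA_LOG$ (DB) or XML files, never syslog. On
-- 12c, unified auditing gives both kinds a single read-only trail:
-- CREATE AUDIT POLICY customers_pol ACTIONS SELECT ON app_owner.customers, DELETE ON app_owner.customers;
-- AUDIT POLICY customers_pol EXCEPT app_svc;
-- SELECT event_timestamp, dbusername, action_name, sql_text FROM unified_audit_trail;
```

The privilege query answers the slide's warning directly: a DBA with DELETE ANY TABLE can empty SYS.AUD$ and the evidence is gone, which is why the trail should leave the server as it is written.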
1- Oracle Audit Vault & Database Firewall

Audit Vault centralizes the audit logs from the databases, the OS and Active Directory, and allows easy reporting and custom alerts. It cooperates with Database Firewall, which filters the requests made to the database.

Does it not impact performance?

Source: Oracle Audit Vault documentation
2- IBM InfoSphere Guardium

S-TAP / F-TAP agents on the database hosts capture local traffic (is it safe to run an agent on the database server?); SPAN monitoring on a switch captures the network traffic, and any change of (ip, port) must be followed in both cases. The collector applies the policies; an aggregator consolidates several collectors. Outputs: real-time alerts, reports, post-mortem reports.
Other players in the market

(Vendor logos only on the original slide.)
Section 9
Database Security in the Cloud

Databases in the Cloud

Container database: consolidation of several databases into a single container.
Multi-tenancy and elasticity: pluggable databases.
Segregation of data and database protection: Database Vault keeps the cloud provider's DBA out of the application data, while the application's own DBA ("Yellow App") manages its pluggable database and its apps.
Auditing & policies: monitoring and alerts.
Thank you!
Section 10
Questions and Answers

Multitenancy in the Database (Source: Oracle Multitenant documentation)

Oracle Multitenant consolidates several databases into a single container:
shares resources and eases maintenance,
preserves segregation of data,
databases are pluggable.

A cloud infrastructure for databases which provides elasticity & cost reduction, flexibility, and segregation.
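Added example for the cloud slide in Section 9 and the multitenant slide above, not from the original deck: the segregation between the cloud provider's DBA and an application's own users, in 12c multitenant terms. YELLOW_PDB, YELLOW_ADMIN, YELLOW_APP, C##CLOUD_DBA and the file paths are assumptions; the syntax and views are Oracle's.

```sql
-- Container-level work, done in CDB$ROOT by the cloud provider's DBA
CREATE PLUGGABLE DATABASE yellow_pdb
  ADMIN USER yellow_admin IDENTIFIED BY "Replace-With-A-Generated-Password-1"
  FILE_NAME_CONVERT = ('/u01/app/oracle/oradata/ORCL/pdbseed/',
                       '/u01/app/oracle/oradata/ORCL/yellow_pdb/');
ALTER PLUGGABLE DATABASE yellow_pdb OPEN;

-- A common user (C## prefix) exists in every container, but each grant is
-- scoped: it can connect everywhere, and is a DBA only in the root.
CREATE USER c##cloud_dba IDENTIFIED BY "Replace-With-A-Generated-Password-2" CONTAINER = ALL;
GRANT CREATE SESSION, SET CONTAINER TO c##cloud_dba CONTAINER = ALL;
GRANT DBA TO c##cloud_dba CONTAINER = CURRENT;

-- A local user exists in one PDB only and cannot see the other tenants at all
ALTER SESSION SET CONTAINER = yellow_pdb;
CREATE USER yellow_app IDENTIFIED BY "Replace-With-A-Generated-Password-3" CONTAINER = CURRENT;
GRANT CREATE SESSION, CREATE TABLE TO yellow_app;
ALTER USER yellow_app QUOTA 100M ON users;

-- Review from the root: which users are common, and in which containers
-- does each account hold DBA?
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT u.username, u.common, c.name AS container
  FROM cdb_users u JOIN v$containers c ON c.con_id = u.con_id
 WHERE u.username LIKE 'C##%' OR u.username IN ('YELLOW_ADMIN', 'YELLOW_APP')
 ORDER BY u.username, c.name;
SELECT r.grantee, r.granted_role, c.name AS container
  F
ROM cdb_role_privs r JOIN v$containers c ON c.con_id = r.con_id
 WHERE r.granted_role = 'DBA'
 ORDER BY c.name, r.grantee;
```

The point of the second review query is the cloud slide's warning: a common user granted DBA with CONTAINER = ALL is a DBA inside every tenant's pluggable database, which is exactly the access the provider's DBA is not supposed to have; Database Vault (next slide) is what closes the remaining gap, since the root's SYS can still open any PDB.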
Database protection (Source: Oracle Database Vault documentation)

Database Vault:
realm-based authorization,
preserves segregation of duties,
privileged accounts cannot access sensitive data or data from other databases,
restrictions according to business hours,
a security layer on top of the DBAs.
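Added example, not from the original deck: a Database Vault realm around the application schema with a business-hours rule set. APP_OWNER, APP_SVC and the realm and rule names are assumptions; Database Vault must be installed and enabled, and the block must be run by the Database Vault owner (DV_OWNER role), not by SYS. Parameter names follow the 12c DBMS_MACADM documentation (realm_type exists from 12c on); check them against the release in use.

```sql
BEGIN
  -- 1. Realm: a protection zone. A mandatory realm (realm_type => 1) also
  --    blocks the object owner and SELECT ANY TABLE holders unless authorized.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Customer Data Realm',
    description   => 'Application tables holding customer PII',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,   -- record every blocked attempt
    realm_type    => 1);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Customer Data Realm',
    object_owner => 'APP_OWNER',
    object_name  => '%',
    object_type  => '%');

  -- 2. Rule set: access is legitimate only during business hours
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''18''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Business Hours Only',
    description     => 'Allow only between 08:00 and 18:59 server time',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Customer data is not available outside business hours',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Business Hours Only',
    rule_name     => 'Business Hours');

  -- 3. Authorization: the application service account, during business
  --    hours only. Nobody else gets through the realm, DBA role or not.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Customer Data Realm',
    grantee       => 'APP_SVC',
    rule_set_name => 'Business Hours Only',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Effect: SELECT * FROM app_owner.customers run by a DBA (even with SELECT
-- ANY TABLE) fails with ORA-01031: insufficient privileges, and the attempt
-- is recorded by the realm's audit option.

-- What the realm covers, and who is let in
SELECT realm_name, enabled, audit_options
  FROM dba_dv_realm
 WHERE realm_name = 'Customer Data Realm';
SELECT grantee, rule_set_name, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'Customer Data Realm';
```

This is the "security layer on top of the DBAs" from the slide: the DBA keeps every privilege needed to run the database, but a realm decides whether those privileges reach the protected objects, and that decision is owned by a different person.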